Privilege Escalation – The attainment of new rights!

M.Sc. Jan Hörnemann

In a privilege escalation, the attacker tries to obtain more rights on the target system than the account they initially control. This is often necessary to load additional malware or to start processes for which an ordinary user account lacks the permissions. In a recent case, an attacker could gain administrative rights via the configuration software of a mouse.

Privilege Escalation – Breaking out of the user profile

A cyber attack runs through several phases, for example those of the Cyber Kill Chain. Its seven steps do not list privilege escalation as a phase of its own; in terms of timing it belongs to step four, Exploitation. Privilege escalation is usually implemented by exploiting a vulnerability in a component that already runs with higher privileges than the attacker's account. Only once such a vulnerability has been exploited does the attacker hold system privileges and can cause further damage.

Privilege escalation is necessary in many attack scenarios because the user through whom the malware arrives, for example via a phishing e-mail, usually does not have system privileges but only a restricted user profile. Such a profile carries only the rights the user needs for everyday work. It is often enough to run the initial malware and to reach a command-and-control server, but not to install system-wide persistence, disable security software or read other users' data. For that, the attacker has to escalate.

Privilege escalation via installation processes

Technically, the attacker tries to piggyback on a process that already runs with the privileges the attacker needs. Installation and update processes are typical candidates: they run with system privileges because they have to write to protected locations, and they often download and execute data from external sources. If such a process can be made to run attacker-controlled code, or to start a child process on the attacker's behalf, the attacker inherits its privileges.
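The pattern described above leaves a trace in process-creation telemetry: an interactive shell that was started by an installer or updater and runs as SYSTEM. The following added example (not code from the original post) is a small hunting function that flags exactly that combination. The event records are constructed samples using the field names of Sysmon Event ID 1 (Image, ParentImage, User, IntegrityLevel, CommandLine, UtcTime); the installer name patterns are an assumed heuristic, and on a live host you would build the records from Get-WinEvent output instead.

```powershell
# Added example, not from the original post: hunt for a shell that an installer
# or updater started with SYSTEM rights, the pattern behind piggybacking on a
# privileged process. Records are constructed samples shaped like Sysmon Event ID 1.

$ShellImages       = @('powershell.exe', 'pwsh.exe', 'cmd.exe')
$InstallerPatterns = @('setup', 'install', 'update', 'msiexec')   # assumption: name-based heuristic

function Find-InstallerSpawnedShell {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $child  = (Split-Path -Leaf $e.Image).ToLower()
        $parent = (Split-Path -Leaf $e.ParentImage).ToLower()

        $isShell = $ShellImages -contains $child
        $isInstaller = $false
        foreach ($p in $InstallerPatterns) {
            if ($parent -like "*$p*") { $isInstaller = $true }
        }
        $isSystem = ($e.User -eq 'NT AUTHORITY\SYSTEM') -or ($e.IntegrityLevel -eq 'System')

        # A SYSTEM installer legitimately runs msiexec and its custom actions;
        # an interactive shell under it is what the attacker is after.
        if ($isShell -and $isInstaller -and $isSystem) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Parent      = $e.ParentImage
                Child       = $e.Image
                User        = $e.User
                CommandLine = $e.CommandLine
                Finding     = "SYSTEM shell '$child' spawned by installer '$parent'"
            }
        }
    }
}

# Constructed sample events: a benign user shell, a benign SYSTEM custom action,
# and a suspicious SYSTEM shell started from a vendor installer's user interface.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2021-08-22 10:00:41'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; User = 'CORP\jdoe'
                       IntegrityLevel = 'Medium'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ UtcTime = '2021-08-22 10:01:03'; Image = 'C:\Windows\System32\msiexec.exe'
                       ParentImage = 'C:\Windows\Temp\vendor_setup.exe'; User = 'NT AUTHORITY\SYSTEM'
                       IntegrityLevel = 'System'; CommandLine = 'msiexec.exe /i vendor.msi /qn' }
    [pscustomobject]@{ UtcTime = '2021-08-22 10:01:27'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\Temp\vendor_setup.exe'; User = 'NT AUTHORITY\SYSTEM'
                       IntegrityLevel = 'System'; CommandLine = 'powershell.exe' }
)

Find-InstallerSpawnedShell -Events $SampleEvents | Format-Table -AutoSize
```

Only the third record is reported: it is the one where a shell, not a further installer component, runs under an installer process with SYSTEM rights. Tune the parent-name patterns to the installers actually used in your environment; the user and integrity-level check is what keeps ordinary user shells out of the result.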

Privilege escalation is not only possible remotely but also on site. If an attacker has physical access to an employee's computer, they can try to install malware there. If the user profile lacks the privileges needed for that, the attacker has to perform the privilege escalation on the spot, for example with hacking hardware such as a Rubber Ducky (a USB device that registers as a keyboard and types a prepared payload) or other devices.

A recent example of privilege escalation via a mouse involves Razer mice and keyboards.

Razer devices for privilege escalation

To gain system privileges on a foreign Windows 10 computer, an attacker needs only a Razer device and access to an unlocked user session on that computer. One scenario: the attacker poses as a technician in a large company and looks for unlocked workstations. As soon as an employee leaves without locking the computer, the attacker can plug in the device and start the privilege escalation.

The vulnerability lies in the Razer Synapse software, which Windows 10 fetches and installs automatically after a Razer device is connected for the first time. Because that installation runs with system privileges, the attacker ends up with system privileges as well. A security researcher even reproduced the attack with an Android smartphone by making the phone present itself to Windows as a Razer device.

The researcher, who published the demonstration on Twitter, thus shows that an attacker can perform the privilege escalation with nothing more conspicuous than a smartphone. Razer is aware of the vulnerability and is working on a security update at the time of writing.

The attack is only possible if a user leaves the workstation unlocked or gives strangers access to their PC. Reminding employees to lock their computers when they leave the workplace, backed by an enforced automatic lock after a short idle period, prevents this scenario. Administrators can additionally stop Windows Update from pulling in vendor software automatically and restrict which USB devices may be installed at all, so that plugging in an unknown device does not trigger a privileged installer in the first place.
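To check a Windows 10 host for the controls just described, the following added example (not code from the original post or from Razer) audits the relevant settings and reports whether each is in place. The registry locations are the documented backing values of the corresponding Group Policy settings; the 900-second lock threshold and the denied hardware ID list are assumptions to adjust, and 1532 is Razer's USB vendor ID, a fact not stated in the post. It has to run elevated to read the policy keys reliably.

```powershell
# Added example, not from the original post: audit the Windows 10 settings that
# break this attack chain. Each Test-* function returns $true when the control
# is in place. Registry paths are the Group Policy backing values; the idle
# threshold and the hardware ID list are assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Unattended workstation: "Interactive logon: Machine inactivity limit"
function Test-InactivityLock {
    param([int]$MaxSeconds = 900)   # assumption: lock after at most 15 minutes idle
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    return ($null -ne $v -and $v -gt 0 -and $v -le $MaxSeconds)
}

# 2. Vendor software delivered through Windows Update: "Do not include drivers with Windows Updates"
function Test-WUDriversExcluded {
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'ExcludeWUDriversInQualityUpdate'
    return ($v -eq 1)
}

# 3. Plug-and-play driver lookup: "Specify search order for device driver source locations"
#    SearchOrderConfig = 0 means Windows Update is not searched for new devices
function Test-DriverSearchLocalOnly {
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching' 'SearchOrderConfig'
    return ($v -eq 0)
}

# 4. Device installation restrictions: "Prevent installation of devices that match any of these device IDs"
function Test-DeviceDenyList {
    param([string[]]$RequiredPrefixes = @('USB\VID_1532'))   # 1532 = Razer's USB vendor ID
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if ((Get-RegValue $base 'DenyDeviceIDs') -ne 1) { return $false }
    $listKey = Join-Path $base 'DenyDeviceIDs'
    if (-not (Test-Path $listKey)) { return $false }
    # The list is stored as string values named 1, 2, 3, ... under the subkey
    $configured = (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    foreach ($p in $RequiredPrefixes) {
        if (-not ($configured | Where-Object { $_ -like "$p*" })) { return $false }
    }
    return $true
}

# 5. Inventory: is the affected configuration software present on this host?
function Get-InstalledRazerSoftware {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Razer*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-PrivEscHardeningReport {
    [pscustomobject]@{
        InactivityLockConfigured = Test-InactivityLock
        WUDriversExcluded        = Test-WUDriversExcluded
        DriverSearchLocalOnly    = Test-DriverSearchLocalOnly
        DeviceDenyListConfigured = Test-DeviceDenyList
        RazerSoftwareInstalled   = (@(Get-InstalledRazerSoftware).Count -gt 0)
    }
}

Get-PrivEscHardeningReport | Format-List
```

A host that reports $false for the first check is the one the scenario in this post relies on; the driver and device-installation checks matter because they decide whether an unknown USB device can trigger a privileged installer without any user interaction. Note that blocking drivers via Windows Update also affects legitimate hardware, so the device deny list is the more targeted of the two.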

M.Sc. Jan Hörnemann

Hello dear reader, my name is Jan Hörnemann. I am a TeleTrust Information Security Professional (T.I.S.P.) and have been dealing with information security topics on an almost daily basis since 2016. CeHv10 was my first hands-on certification in the field. With a Master of Science degree in Internet Security, I have learned about many different aspects and try to share them in live hacking shows as well as on our blog. In addition, I am active as an information security officer and have been qualified by TÜV for this activity (ISB according to ISO 27001).